CVE-2024-22262

URL Redirect/Open Redirect
Affects
Spring Framework
>=4.3.0, >=5.3.0 <5.3.34, >=6.0.0 <6.0.19, >=6.1.0 <6.1.6
Patch Available
This vulnerability has been fixed in the Never-Ending Support (NES) version offered by HeroDevs.

Overview

Spring Framework is a comprehensive Java framework for building enterprise-level applications. It provides a powerful, flexible programming model that simplifies the development of web applications by allowing you to use Java as your primary language while offering a variety of tools to manage application configuration, data access, and security.

This vulnerability (CVE-2024-22262) exists in the spring-web module when the UriComponentsBuilder class is used to parse externally provided URLs with malicious query parameters. If these URLs are improperly validated, the application becomes susceptible to Open Redirect and Server-Side Request Forgery (SSRF) attacks.

According to the Common Weakness Enumeration (CWE), an open redirect vulnerability occurs when a redirect sends users to a malicious site, potentially leading to credential theft or phishing. Combined with Cross-Site Scripting (XSS), it can also be used to compromise the application. Similarly, Server-Side Request Forgery (SSRF) occurs when a server fetches a URL without verifying its destination, allowing attackers to bypass access controls, scan internal networks, or access sensitive documents.

This issue affects multiple versions of Spring Framework.

Details

Module Info

  • Package manager: Maven
  • Fixed in: NES for Spring Framework v4.3.32 and v5.3.44

Vulnerability Info

This high-severity vulnerability is found in the spring-web.jar module of the Spring Framework. It has low attack complexity and requires no privileges to exploit, but it does require user interaction, such as clicking a crafted URL.

When the UriComponentsBuilder class is used to parse externally provided URLs, an HTTP parameter may contain a URL that redirects the user to an unexpected site.

The issue arises from inadequate host validation when handling malicious query parameters. Even if the host of a user-supplied URL is validated, other components of the URL (e.g., query strings, fragments, or paths) may remain unchecked. When the URL is reconstructed after validation, these unverified components can introduce malicious instructions.

Additionally, developers using UriComponentsBuilder often do not validate the output. Even when host validation is implemented, it may be too lenient or fail to account for edge cases, allowing malicious inputs to exploit the vulnerability. Thus, this issue results from a flaw in the class combined with insufficient validation at the application level.

Steps To Reproduce

For reproduction steps, refer to CVE-2024-22243 and follow the setup instructions. The vulnerability exploits differences between how browsers and Spring's UriComponentsBuilder parse URLs. With a URL query parameter such as https://evil.com\@127.0.0.1, the browser redirects to evil.com instead of the intended address (127.0.0.1).
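The parser differential described in the sections above, and the validation a defender wants in its place, as an added example. This is illustrative Python written for this page, not Spring's own Java code: it models the two parsing behaviours (an RFC 3986-style parser that ends userinfo at the last "@" versus a browser that treats a backslash in an http(s) URL as a path delimiter), shows why a host check built on only one of them passes the crafted value, and then applies a hardened check that rejects ambiguous input and requires both interpretations to agree on an allowlisted host. The allowlist, sample URL and function names are assumptions constructed for the example.

```python
"""Parser-differential check for redirect targets (illustrative, not Spring code).

Models the failure mode described on this page: a host check performed with an
RFC 3986-style parser accepts a URL whose browser-side host differs, because
browsers treat '\\' in http(s) URLs as a path delimiter.
"""
from typing import Optional
from urllib.parse import urlsplit

# Constructed allowlist of redirect destinations the application trusts.
ALLOWED_HOSTS = {"127.0.0.1", "localhost", "app.example.com"}
# Schemes for which the WHATWG URL parser treats '\' like '/'.
SPECIAL_SCHEMES = {"http", "https", "ws", "wss", "ftp"}


def rfc_host(url: str) -> Optional[str]:
    """Host as an RFC 3986-style parser reports it.

    urlsplit() ends the authority at the first '/', '?' or '#', so a backslash
    stays inside it, and everything up to the last '@' is treated as userinfo.
    """
    return urlsplit(url).hostname


def browser_host(url: str) -> Optional[str]:
    """Simplified model of WHATWG URL parsing for special schemes.

    A backslash ends the authority just like a forward slash, so anything after
    it (including a later '@') is path, not userinfo. IPv6 literals are not
    modelled; this is an assumption of the example, not a full URL parser.
    """
    scheme, sep, rest = url.partition("://")
    if not sep or scheme.lower() not in SPECIAL_SCHEMES:
        return None
    end = len(rest)
    for delim in "/\\?#":
        idx = rest.find(delim)
        if idx != -1:
            end = min(end, idx)
    authority = rest[:end]
    host = authority.rpartition("@")[2].partition(":")[0].lower()
    return host or None


def naive_validate(url: str) -> bool:
    """The flawed pattern: trust the host reported by a single parser."""
    return rfc_host(url) in ALLOWED_HOSTS


def safe_validate(url: str) -> bool:
    """Hardened check: refuse ambiguous input outright and require both
    interpretations to agree on an allowlisted host."""
    # Backslashes, userinfo and control characters have no business in a
    # redirect target; refusing them removes the parser differential entirely.
    if any(ch in url for ch in "\\@") or any(ord(ch) < 0x20 for ch in url):
        return False
    if urlsplit(url).scheme.lower() not in {"http", "https"}:
        return False
    h_rfc, h_browser = rfc_host(url), browser_host(url)
    return h_rfc is not None and h_rfc == h_browser and h_rfc in ALLOWED_HOSTS


def redirect_target(param: str, fallback: str = "/") -> str:
    """Return the externally supplied redirect target only if it passes
    safe_validate(); otherwise fall back to a fixed local path."""
    return param if safe_validate(param) else fallback


if __name__ == "__main__":
    crafted = "https://evil.com\\@127.0.0.1"  # constructed sample input
    print("rfc parser host:    ", rfc_host(crafted))      # 127.0.0.1
    print("browser-style host: ", browser_host(crafted))  # evil.com
    print("naive check passes: ", naive_validate(crafted))
    print("safe check passes:  ", safe_validate(crafted))
    print("redirect goes to:   ", redirect_target(crafted))
```

The point of `safe_validate` is that it does not try to out-parse the browser: it rejects the characters that make the two parsers disagree and still requires the host to be on an explicit allowlist, which is the application-level validation the page notes is often missing. Upgrading to a fixed Spring version remains the primary fix; this check is the belt-and-braces layer around any redirect built from a request parameter.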

Credits

  • L0ne1y

Mitigation

Spring Framework 4.3.x is no longer community-supported. The community support version will not receive any updates to address this issue. For more information, see here.

Users of the affected components should apply one of the following mitigations:

  • Upgrade to a corrected version.
  • Leverage a commercial support partner like HeroDevs for post-EOL security support.

Vulnerability Details

  • ID: CVE-2024-22262
  • Project affected: Spring Framework
  • Versions affected: >=4.3.0, >=5.3.0 <5.3.34, >=6.0.0 <6.0.19, >=6.1.0 <6.1.6
  • Published date: April 16, 2024
  • Approximate fix date: April 16, 2024
  • Severity: High
  • Category: URL Redirect/Open Redirect